server: fix fips_mode stat (#16140)

Commit Message: Fix fips_mode stat by using a static variable to check if the ssl version is fips compliant or not. Additional Description: Originally added as part of #14719 Risk Level: Low Testing: Updated unit tests Docs Changes: None. Already documented Release Notes: Platform Specific Features: Signed-off-by: Ravindra Akella <rakella@salesforce.com>
envoyproxy · Apr 29, 2021 · 265275e · 265275e
1 parent 3e96780
commit 265275e
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 5 deletions.
diff --git a/source/common/version/BUILD b/source/common/version/BUILD
@@ -59,7 +59,10 @@ envoy_cc_library(
     name = "version_lib",
     srcs = ["version.cc"],
     copts = envoy_select_boringssl(
-        ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""],
+        [
+            "-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"",
+            "-DENVOY_SSL_FIPS",
+        ],
         ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""],
     ),
     deps = [

diff --git a/source/common/version/version.cc b/source/common/version/version.cc
@@ -37,11 +37,11 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() {
 }
 
 bool VersionInfo::sslFipsCompliant() {
-  bool fipsCompliant = false;
-#ifdef BORINGSSL_FIPS
-  fipsCompliant = true;
+#ifdef ENVOY_SSL_FIPS
+  return true;
+#else
+  return false;
 #endif
-  return fipsCompliant;
 }
 
 const std::string& VersionInfo::buildType() {

diff --git a/test/common/common/BUILD b/test/common/common/BUILD
@@ -5,6 +5,7 @@ load(
     "envoy_cc_fuzz_test",
     "envoy_cc_test",
     "envoy_package",
+    "envoy_select_boringssl",
 )
 
 licenses(["notice"])  # Apache 2
@@ -389,6 +390,7 @@ envoy_cc_test(
 envoy_cc_test(
     name = "version_test",
     srcs = ["version_test.cc"],
+    copts = envoy_select_boringssl(["-DENVOY_SSL_FIPS"]),
     external_deps = [
         "abseil_strings",
     ],

diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc
@@ -11,6 +11,7 @@ class VersionInfoTestPeer {
 public:
   static const std::string& buildType() { return VersionInfo::buildType(); }
   static const std::string& sslVersion() { return VersionInfo::sslVersion(); }
+  static bool sslFipsCompliant() { return VersionInfo::sslFipsCompliant(); }
   static envoy::config::core::v3::BuildVersion makeBuildVersion(const char* version) {
     return VersionInfo::makeBuildVersion(version);
   }
@@ -34,6 +35,11 @@ TEST(VersionTest, BuildVersion) {
             fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value());
   EXPECT_EQ(VersionInfoTestPeer::buildType(),
             fields.at(BuildVersionMetadataKeys::get().BuildType).string_value());
+#ifdef ENVOY_SSL_FIPS
+  EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant());
+#else
+  EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant());
+#endif
   EXPECT_EQ(VersionInfoTestPeer::sslVersion(),
             fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value());
 }
@@ -45,6 +51,11 @@ TEST(VersionTest, MakeBuildVersionWithLabel) {
   EXPECT_EQ(3, build_version.version().patch());
   const auto& fields = build_version.metadata().fields();
   EXPECT_GE(fields.size(), 1);
+#ifdef ENVOY_SSL_FIPS
+  EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant());
+#else
+  EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant());
+#endif
   EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value());
 }